Also, I would only grant membership to those who have demonstrated skills and maturity. Even then I'd almost make them forfeit their firstborn (in writing) before handing anyone that set of keys to the kingdom...

I have both a user and admin profile. I log in as a user under normal circumstances, which reduces the chance of an accident happening while privileges are elevated. Things like checking e-mail, browsing the net for cool new technology and checking Spiceworks don't need admin privileges.

Whilst I agree it is still best to use a less privileged account when possible, I think people forget that Windows 7 (and Vista) kind of does some of this for you. When you log on as a user that is a member of Domain Admins, you do not actually have any admin permissions on that machine until you run something "elevated", which requires you to either manually right-click and do Run As Administrator or to click Yes on a UAC prompt that a program presents to you.

Accessing network resources is different though, as you still have your domain admin permissions when you go out onto the network to try and access files or other resources (although mapped drives behave slightly differently). Which is why I say UAC doesn't completely solve the issue, it only protects your local PC really.
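
The local half of the UAC behaviour described in the post above can be checked from a normal, non-elevated PowerShell prompt. This is an added example, not part of the original thread; the function name `Get-AdminTokenState` is hypothetical, and the deny-only match assumes an English-language Windows because `whoami` localizes its attribute text.

```powershell
# Added example: report whether this session holds a UAC-filtered token.
# Assumption: English-language Windows ("Group used for deny only" is localized).

function Get-AdminTokenState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # False under a filtered token, even for a member of an admin group.
    $elevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Well-known SIDs: BUILTIN\Administrators, and the domain RIDs for
    # Domain Admins (512), Schema Admins (518) and Enterprise Admins (519).
    $adminSid = '^S-1-5-32-544$|^S-1-5-21-.+-(512|518|519)$'

    # whoami shows each group in the current token with its attributes.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -match $adminSid } |
        ForEach-Object {
            [pscustomobject]@{
                Group    = $_.'Group Name'
                SID      = $_.SID
                DenyOnly = $_.Attributes -match 'deny only'
            }
        }

    [pscustomobject]@{
        User        = $identity.Name
        Elevated    = $elevated
        AdminGroups = @($groups)
    }
}

$state = Get-AdminTokenState
$state.AdminGroups | Format-Table -AutoSize

if (-not $state.Elevated -and $state.AdminGroups.Count -gt 0) {
    # The filtered token only governs this machine; as the post notes,
    # access to network resources still uses the account's domain rights.
    "Filtered token: admin groups are deny-only on this PC for $($state.User)."
}
```

Run the same function from an elevated prompt and `Elevated` becomes true with the `DenyOnly` flags cleared, which shows the two tokens UAC keeps for one admin logon.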